First TraceMonkey vulnerability calls for Firefox 3.5.1

Developers on the “Shiretoko” track for Mozilla’s new open source Firefox 3.5 Web browser now have very good reason to expect a ship date for the first round of bug fixes and vulnerabilities. A very big vulnerability has turned up in just the wrong place: a public site for posting exploits.

The problem is a new permutation of an old exploit technique that, ironically, was first brought to prominence in 2006 by a package called “Internet Exploiter.” It’s called a heap spray, comprised of shellcode that’s set to be distributed into an area in blocks, a bit like spraying bricks into a wall. The resulting pattern may contain executable code that can be triggered through an overflow; and in this case, it’s version 3.5’s embedded font support, using the <FONT /> tag, that’s the trigger.

A check of the Bugzilla database this morning does not indicate the issue as an active security bug among Mozilla testers. However, security firm Secunia rates the vuln “Extremely Critical,” as the published exploit is believed to be in use in the wild.

In its proof-of-concept distribution, the exploit triggers CALC.EXE in Windows, though it’s an academic matter for someone to make that trigger run other code, perhaps an arbitrary payload. Though this exploit is not a “virus” per se, despite how some local TV newscasts may portray it, certainly the arbitrary payload this trigger may enable could be infectious.

Though a general planning meeting for next-stage Firefox development was scheduled for yesterday morning, and security problems were scheduled to be on the agenda, apparently this latest exploit had not yet cropped up at the time developers met. Meeting notes published yesterday concerning the bug fix schedule for 3.5.1 read, “Contrary to some reports on the Internet, this is the usual process for Firefox and software releases; the 3.5 release was strong, stable and solid, and feedback has been extremely positive. Near the end of the release we become extremely conservative about patches to accept; the 3.5.1 release is a quick update to fold in some patches that came up late in the 3.5 release cycle.”

Candidate builds of 3.5.1 were scheduled for next week, though today’s discovery may accelerate the release process.